Skip to main content
Version: 0.19.x

Agent Configuration File

While the Agent can be run using command line parameters, it can also be fully configured with a configuration file.

While there is no default location for the configuration, /etc/evebox/agent.yaml is recommended.

The EveBox Agent must also be told where to find the configuration file, for example:

evebox agent -c /etc/evebox/agent.yaml

Command line arguments will always override the configuration file.

# EveBox Agent configuration file - subject to change.

# Server information.
server:
url: http://127.0.0.1:5636

# Username and password. Note that at this time even with
# authentication enabled on the EveBox server, agents can still
# submit events without authenticating. You will need to supply and
# username and password if running behind a reverse proxy
# implementing authentication.
#username: username
#password: password

# Enable output to Elasticsearch. If enabled, the above server section
# will not be used.
elasticsearch:
enabled: true
url: http://127.0.0.1:9200
index: logstash

# Set to true if the index is a datastream.
#nodate: false

#username: username
#password: password

# Directory to store data and state information required by the agent. This
# isn't always required. If the agent has write access to the log directory it
# can store bookmark information along side the eve log files.
#data-directory: "/var/lib/evebox"

# If the EveBox server is running behind TLS and the certificate is
# self signed, certificate validation can be disabled.
#disable-certificate-check: true

# Path to Suricata Eve log files.
input:
paths:
- "/var/log/suricata/eve.json"
- "/var/log/suricata/eve.*.json"

# Additional fields that will be added to each event. This is currently limited
# to strings at this time.
additional-fields:
#sensor-name: "my super secret sensor"

# The event reader can also add the rule to alert events. Do not enable
# if you already have Suricata logging the rule.
#rules:
# - /var/lib/suricata/rules/*.rules
# - /usr/share/suricata/rules/*.rules
# - /etc/suricata/rules/*.rules